Wednesday, October 31, 2018

The Samsung Smartphone Iris Scanner

Introduction

I have a new smartphone that can use biometric technology—specifically, an iris scanner—to
authenticate me (i.e., to unlock itself). Though I was initially thrilled at
the space-age modernity and ease of this feature, I ultimately decided not to continue using it, for a reason
that may surprise you.

Why biometrics?

Biometric authentication might seem to some like a solution
looking for a problem. Why not just use a password or PIN to unlock a phone or
other device? Actually, static passwords are pretty fallible. People are lazy
and choose really lame passwords. It’s also possible to intercept them; both my
daughters managed to learn my smartphone’s PIN by looking over my shoulder.

But that’s not actually the biggest problem with traditional
authentication. After all, security can be increased by using two factors,
e.g., a static PIN or password plus a token or app that generates a new
password every minute. But this process is annoying. To securely connect my
work PC requires a complicated password to unlock it, followed by VPN authentication
involving a numeric user ID, an 8-digit static PIN, and a 6-digit constantly
changing PIN that I need to get from my phone, which (until recently) required that
I unlock it with yet another 6-digit PIN. That’s 42 keystrokes total.

Meanwhile, throughout the day I’m typing this or that other
username and password to reach various resources; I have well over 100
different logins to keep track of. Most of the time, the password field you
type into doesn’t show you what you’re typing—just asterisks. This leads to
typos, of course, so you have to start over. If you’re at a café, this makes
sense, but don’t most of us work in an office or at home 90% of the time? Why
not show the password by default and have an optional “mask” button for public
spaces?

This is where fingerprint readers, facial recognition, and
iris scanning can really help. They’re faster and easier, removing an annoyingly
repetitive behavior.

Samsung optical
recognition

My new Samsung Galaxy S9+ phone has three ways of optically
authenticating the user. It can use facial recognition (i.e., using the
front-facing camera to see if it’s my face); it can use an infrared scanner to
inspect my irises and compare them to the baseline image I stored in the phone;
or it can use both. In practice, the facial recognition isn’t considered secure
enough for sensitive applications. The combined method is also pointless, because
the phone tries the less rigorous facial recognition method first, thus dispensing
with the secure iris scan most of the time. In practice, only the iris scanner by
itself makes any sense.

So, does the iris scanning work? There are two definitions
of “work.” First, the phone needs to easily perform the test and unlock itself,
without any false negatives (i.e., failing to recognize my irises). On top of
this, the authentication has to actually be secure (i.e., avoid being circumvented
by a malicious actor).

At first blush, the iris scan seems great. You swipe up from
the bottom of the touch-screen to tell the phone to scan you; then, a fraction
of a second later, your phone is unlocked. It’s like magic, and far easier than
the six-digit PIN I had to type on my old phone. (That was actually seven taps
total: the PIN and then—pointlessly—having to tap Enter.)

As far as whether the technology really is secure, that’s
harder to ascertain because it’s like proving a negative. But honestly, I don’t care
if it’s completely foolproof. For me, the security needs to meet exactly two
standards: 1) my employer’s IT department trusts it; and 2) Google Pay trusts
it. I don’t see that there’s that much real risk involved here. After all, what
are the odds that a malicious actor will gain physical access to my phone?
Negligible. And if someone did, well, I’d kick his ass! (Meanwhile, if I were
to lose my phone, one quick phone call to corporate IT would have it wiped
clean—i.e., “bricked”—within minutes.)

That said, this is a full-service blog so I’ll share what my
cursory Internet research turned up. Yes, somebody has already hacked this technology. They used a digital camera with an infrared light, captured a photo of
somebody’s irises, printed it out, and then put a contact lens over the iris in the printout to create the right curvature. One article called this “alarmingly easy” but is
it, really? I don’t typically let strangers take a photo of my irises in
infrared mode from three feet away without my consent. Meanwhile, let’s not
forget that this methodology still requires
that the malicious actor get physical access to my phone. How’s he gonna do
that? And what exactly does he hope to get off my phone … my beer photos?

Anybody who fixates on security measures involving physical
access is missing the point. This is not how hackers operate. Let me explain
how they actually do their thing. Recently I was sitting in a doctor’s office
reading Readers Digest and came
across an “article” (i.e., thinly veiled ad) for a free app that gives
emergency first responders a way to get pertinent info off your phone if they
find you unconscious in a ditch. They will want to find out if you have any
medical conditions, and have a way to contact your family members to let them
know you’ve been in an accident. Without a screen lock this is pretty easy—they
just call the last number you dialed, or sift through your contacts. But with a
screen lock, things get harder. The app described by the Reader’s Digest article makes your medical information and emergency
contacts available when your phone is still locked. Pretty cool, right?

Well, no, as it turns out. I downloaded the app and read the
privacy policy. (If you never do this, you might consider starting,
particularly when the creator of an app isn’t Google or Apple.) I discovered
that this software monitors and reports all your browsing activity, even when
you’re not using the app! In other words, it’s egregiously violating your
privacy (which is why it’s offered for free). That’s the real risk, folks … not
somebody stealing your phone and using it.

(By the way, if you want to make your emergency info
available to first responders via your locked phone, check the website of your
phone manufacturer. My old Motorola phones supported this natively, as does my
Samsung.)

The problem with optical scanning

So the Samsung iris scan looks pretty good, right? If so why
this post? Well, as is so often the case, the honeymoon was brief.

A few days into my use of the iris scan authentication, I started
having some problems. Usually the scan was almost instant, but then I
challenged it in several ways. I used it while wearing contact lenses, then
glasses, then sunglasses. With the first two, the phone had to work a little
harder to get a good scan, but eventually worked. With sunglasses—no dice.

Still no big deal, right? But over time, seemingly as I
myself got tired, this phone seemed to be working harder and harder to
authenticate me. Things got worse in the evening, perhaps due to low ambient
light and/or my increasingly dilated pupils. Instead of just flickering, the
screen was putting two circles on the screen for me to align my eyes with. I
couldn’t get a screenshot of this, but here’s how Samsung depicts it:

Still not a big deal, but not instant and automatic either.
It had me doing a little bit of work, and I don’t like doing a little bit of work. I’m a Californian, man! I don’t
have time for instant gratification!
Moreover, I had the distinct sense that having this red light shining in my
eyes was starting to cause discomfort.

Could this discomfort be in my head? Absolutely! Try this
thought exercise: do you feel a little bit of an itch right now, on your head?
Just a little? Doesn’t it kind of feel like something is crawling on it?
Weren’t you sitting under a tree earlier? Isn’t this the season for spiders?
Isn’t it entirely possible that one dropped down into your hair? There’s a
little itch—admit it. You have to scratch now, don’t you? I do, and I’m the perpetrator
of this ruse! (Don’t you feel a yawn coming on, too?)

The point is, any fear of side effects with this technology
can start to niggle, and a little fear isn’t unreasonable. A government
facility employing iris scans would screen you once every few days or weeks.
But phones? We unlock these devices many dozens of times a day. I don’t think
it’s irrational to wonder if frequent iris scanning might cause a cumulative
problem. After all, this use of the technology is totally new.

I’m clearly not the first person to wonder if this is safe.
Consider the second Google autocomplete suggestion that appeared when I typed “samsung iris scanner”:

As luck would have it, I had the opportunity to talk to a
Samsung engineer about the safety of this feature. (Never mind how.) I should point out that our conversation was basically off the record. (I
didn’t present myself as a blogger, because I don’t enjoy having people laugh
in my face.) I also want to be clear that this guy didn’t utter a single
sentence that would incriminate Samsung in any way. Everything he said
indicated an essential trust in this technology.

At the same time, there were some nonverbal cues indicating
that perhaps he’s not entirely confident
that there’s zero risk here. This wasn’t just my interpretation … several
others witnessing the exchange chuckled out loud a couple times. Due to the
very essence of nonverbal communication, I cannot explain exactly how he
hedged. Perhaps the most tangible detail I can convey is this cryptic statement
he made, in response to my question about the high number of scans these phones
are doing: “Everything in moderation, including moderation, right?”

(It was a great tech-geek conversation, by the way. The
oddest thing he said was, “You can remove your irises!” I pictured a gory
self-surgery for a moment before realizing he meant I could remove the stored
benchmark image and try again. The idea is, if I had captured the baseline iris
scan in bright daylight, then the authentication scans would also work best in
bright daylight. You can experiment with different lighting conditions to
capture the best sample, which will make scans work in the widest variety of
conditions. The phone has an almost comically named “Manage Irises” menu for
this.)

In the final analysis, I didn’t find any legitimate reason
to act on my concerns … I recognize them as knee-jerk reactions, more paranoid
than rational. There’s just not enough there to suggest a safety problem with
this authentication method. But there’s a less slippery aspect to it that
ultimately did cause me to abandon it anyway. Look at this photo:

What do you notice about that photo, particularly in contrast
to the one before it? The guy in the photo looks pretty tired, doesn’t he? The
Samsung photo is much nicer. The woman—surely a model—has really nice smiling
blue eyes. If I looked like her, I might actually enjoy iris scans. Hell, I’d probably even snap selfies! I might
even use Instagram! But the reality is much different. Unlocking my phone,
particularly during the evenings after a hard day, became downright
demoralizing. Here’s what I found myself looking at:

Look at those bags under my eyes! It’s depressing! I also
don’t have any eyebrows left. Where the hell did they go? I used to have eyebrows. In fact, I had
very nice eyebrows. I think they were my best feature—and now they’re gone … at
some point they just straight-up vacated. Another ravage of age. And the above
photo doesn’t even capture the expression my eyes would betray during these
scans … it was one of confusion and frustration, which are decidedly
unflattering.

I’m not kidding here: these iris scans were making me feel
old and lost. Haven’t these damn phones, with their social media and their
selfies, done enough to undermine our self esteem, without reminding us,
through this new form of scrutiny, how tired and doddering so many of us have
become?

The solution

Happily, there was an elegant solution to my quandary: I
switched to the fingerprint reader. I’d initially refused to consider this
technology because I cannot stand it on my iPad Air. That device’s fingerprint
reader has always enraged me. It works about one in ten times. Typically I try
the it three times in a row to no avail, and then the iPad gives up and makes
me type my password. So it’s actually adding
effort and frustration, the net result being I almost never use my iPad for
anything. It just sits in a drawer.

Samsung, on the other hand, has a great fingerprint reader.
For one thing, it’s located on the back of the phone, which just makes sense.
Plus, it happens to work perfectly. Furthermore, it offers a significant extra
advantage: you don’t have to “wake up” the phone to use it. With the iris
scanner, you have to un-snooze the phone by pressing a button on the side, and then
you swipe up on the screen, point your eyes at the phone, and then it does the
scan. With the fingerprint reader, even if the phone is sound asleep, you just touch
the reader and the phone unlocks. I can do this in the same motion as pulling
my phone out of my pocket, so it’s instantly ready to use. Moreover, the phone can
store multiple fingerprints, so another trusted person (e.g., your spouse) can borrow
it (e.g., you’re driving and he or she wants to navigate). I give Samsung’s fingerprint
authentication an A+ … they really nailed it.

(No, Samsung didn’t give me a free phone or anything for
writing this; I’d be required to disclose that if they did. So, if anyone from
Samsung is reading this: you’re welcome.)